The biggest vulnerability in cybersecurity

Welcome to Runtime! Today: why companies continue to worry about a shortage of cybersecurity professionals, money starts flowing from the CHIPS Act, and the quote of the week.

(Was this email forwarded to you? Sign up here to get Runtime each week.)

Mind the skills gap

The cybersecurity industry continues to have trouble filling all the jobs it believes it needs to keep the world's economy secure. And despite years of effort and attention to this problem, it's hard to find signs of progress.

New research out this week from ISC2, as highlighted in the Financial Times, concluded that employers need to fill 3.7 million cybersecurity jobs, measured against the total workforce of 4.7 million currently employed. "The gap was particularly wide in the aerospace, government, education, insurance and transportation sectors," according to the FT, which if anything understates the problem given the importance of those sectors to daily life.

• The root of the problem is the same as it ever was: 73% of employers say they value "hands-on cybersecurity experience" as a primary factor when making hiring decisions.
• However, they also cite "soft skills" as the most important trait they need in new hires, which in an ideal world would lead them to create entry-level jobs to train candidates on the hard technical skills.
• But companies aren't doing that: Protocol Enterprise covered this issue more than a year ago when 2.7 million cybersecurity jobs were outstanding, and it would appear the lack of entry-level jobs has gotten worse.
• They're also finding it hard to retain current employees, given the demand for "qualified" workers and the salaries that companies are willing to pay for people with experience.

More than half of employers still require a four-year college degree for cybersecurity candidates, according to ISACA research.

• There's no question that a formal education in computer science will help someone interested in a cybersecurity career, but there's no reason why that education has to take place inside a traditional college or university environment.
• As anyone who has spent even a limited amount of time around cybersecurity professionals knows, the people who tend to wind up in this field come from a far more eclectic set of backgrounds and personality types than your average tech professional.
• ISC2 wants to offer new certification programs catering to those without formal cybersecurity experience, and those kinds of programs have helped so many people start careers in tech, including superstars like former Google engineer Kelsey Hightower.
• But there's so much more that the deep-pocketed tech companies of the world could do to nurture people interested in a cybersecurity career that lack traditional experience or training; apprenticeships, mentoring programs, and/or retraining opportunities for current employees looking for something new.

You don't have to have lived in Las Vegas for the last week to understand how important cybersecurity has become to nearly every business in the 21st century.

• This will be especially true over the next decade as speculation around generative AI technologies hoovers up all kinds of new data about the way people live and work online.
• Data collected is data that will be used, for both its intended purpose and for hostile purposes should it fail to be protected.
• Those same AI tools could actually help a lot of cybersecurity teams wring more productivity out of their existing personnel, as we covered earlier this year.
• But there's a strong possibility they will also create new attack vectors and problems we have yet to foresee, and somebody will need to clean up those messes.

A side of chips

The first cash grants made possible by the passage of the CHIPS Act last year started flowing out to research institutions and universities this week, and the multibillion-dollar chip manufacturers that lobbied so hard for the bill will have to wait.

Only $238 million of the $53 billion in subsidies authorized by the law was released this week, which means it will take a very long time before the bill has any real impact on domestic chip manufacturing. According to The New York Times, the grants will go to researchers working on "new chips for use in electromagnetic warfare, artificial intelligence, 5G and 6G wireless technologies, and quantum computing, among other areas."

However, on Friday the Biden administration released new rules preventing the CHIPS Act money from being used in China, which Reuters reported was a prelude to the release of additional funds. That might help accelerate bigger projects like TSMC's plans for a massive fab in Arizona, which have been delayed thanks to several problems.

Quote of the week

“If you go to the banks and financial institutions and talk to the CTO, they’ll tell you that they’re running COBOL code from the sixties, and those developers from the sixties are all retired now. And that code back then was not written with unit tests and with CI/CD, so somebody has to maintain that and, hopefully, transform that COBOL code to Java or Python. And we’re not even talking yet about code from the seventies, the eighties, or the nineties.” — GitHub CEO Thomas Dohmke, reassuring attendees of TechCrunch Disrupt this week that generative AI won't kill the software-engineering industrial complex any time soon.

The Runtime roundup

The Big Three cloud companies might have to report customer purchases of AI services beyond a certain threshold if new rules under consideration by the White House come to pass, according to Semafor.

Ransomware attacks on companies making more than $100 million in revenue rose 20% last year, according to new research.

Thanks for reading — see you Tuesday!